MD-VPN service description
The GÉANT MD-VPN service is delivered by a seamless transport infrastructure that can carry L3VPN (IPv4/IPv6), point-to-point L2VPN and, in the near future (GN4), multipoint L2VPN across several network providers (domains). The main benefit of MD-VPN is that providing any kind of VPN between European educational and scientific sites is now easy and fast. We expect the MD-VPN service to be a useful tool for fostering European educational and scientific collaboration.
The service is delivered jointly by NRENs and the pan-European network GÉANT and NORDUnet. Regional, metropolitan or campus networks can join this infrastructure, and the MD-VPN service is in this way extended over these regional, metropolitan or campus networks.
The service is delivered to end-users at a point called the Service Demarcation Point (SDP), at the edge of the NRENs or Regional Networks. In practice, the way the service is delivered to end-users depends on the NREN, but a widespread practice is:
- For L3VPN: as IP packets;
- For point-to-point layer 2 circuits (i.e. Point-to-Point L2VPN) and Multipoint L2VPN (VPLS): as 802.1q frames over dedicated VLANs or on a dedicated port.
Figure 1: MD-VPN infrastructure
This infrastructure allows the end-users (scientists, etc.) of the IPv4/IPv6 or Layer 2 networks to work as if their networks were coupled together directly (the intermediate networks are transparent to end-users). A typical scenario is an international collaboration in which a project wants to connect a number of sites in different physical locations to create a collaborative infrastructure as if they were in the same physical location, so the organization gets the same level of security as if all its sites were in the same location. This security improvement allows high performance by avoiding the firewall deep inspection that is used with standard IP. Distributed infrastructures such as Grid, cloud or HPC can typically benefit from MD-VPN.
The MD-VPN service also provides privacy between different instances (VPNs) of the service, i.e. the content sent back and forth between the different sites stays within the private entity that owns the data. This is achieved because the data flows of an MD-VPN customer are isolated from all other traffic: standard IP traffic and the traffic of other MD-VPN customers.
Use Cases for GÉANT MD-VPN
There is a wide scope for GÉANT MD-VPN use, from long-term infrastructure with intensive network usage to quick point-to-point services for a conference demonstration. The following cases give examples of how GÉANT MD-VPN can be used to support R&E collaboration:
- International Collaboration - Universities, labs and all scientific projects based on international collaboration will benefit from the use of GÉANT MD-VPN services, as the end-to-end service demarcation and the ability to support "out of area" connections improve ease of use. LHCONE, ITER and CONFINE are examples of success. Future Internet projects are also target users for GÉANT MD-VPN, using proxy services to provide outreach.
- Ad hoc P2P connections - For example, conference demonstrations or P2P data transport between sites that is needed only rarely and only for short periods of time. The rapid deployment of VPNs will enable such projects to take advantage of the service, whereas the deployment time of earlier services would have been prohibitive.
- Distributed Infrastructure Services - Cloud service providers, Grid and HPC centres could offer services across VPNs to increase service assurance and to separate traffic flows for management and (possibly) billing purposes.
- Scientific Infrastructure – GÉANT MD-VPN is ideally suited to hub-and-spoke network structures, enabling access to centralised infrastructure projects. Distributed networking for remote sensors could also benefit from the higher levels of assurance offered by VPNs.
- Education – Ad hoc and semi-permanent VPNs can provide linkages between school and campus networks in a clearly separated manner. This can be used to support outreach projects and collaboration.
- Transparent Transport Services - As GÉANT MD-VPN can provide transparent data transport, it can be used by high-level network services like SDN and BoD, and in general by future internet projects.
Case in which the site is not behind an MD-VPN-aware network provider
There is always a way to connect sites to a VPN delivered via the MD-VPN service, even if the sites are connected behind a network provider that does not deploy MD-VPN or is outside the scope of the GÉANT MD-VPN service (for more detail, see "Site_connection_to_MD-VPN_service_V0.3.docx").
Thanks to VPN-Proxy, the MD-VPN service can also deliver its services (L3VPN, point-to-point layer 2 circuit (i.e. Point-to-Point L2VPN), Multipoint L2VPN) in the same way as the L3VPN and GÉANT plus services (i.e. IP packets over a BGP peering, and a VLAN for a layer 2 circuit). Using VPN-Proxy makes it possible to connect NRENs that are not MPLS-enabled.
Difference between the GÉANT VPN services
The purpose of the GÉANT plus, L3VPN and MD-VPN GÉANT services is to provide a private interconnection amongst common research and education network users (collaborating on a single research project).
These services, like all services delivered by GÉANT, are not used by NRENs directly but are delivered by the NRENs or the Regional Networks (RNs) to end-users. From the end-users' point of view the services delivered are the same, but from the NREN point of view they differ in the way GÉANT delivers them to the NREN and in where the service boundary lies. GÉANT plus and L3VPN deliver their service at the border of GÉANT, whereas MD-VPN aims to provide the service at the end-user site (end-to-end service).
Figure 3: MD-VPN service scope
The other important difference lies in the features provided by the different services.
Table 1: feature comparison